Topology diagram
Requirements:
- VLAN1 can access the Internet
- VLAN2 and VLAN3 cannot access the Internet or VLAN1
- VLAN2 and VLAN3 can access each other
- The PC configuration is as shown in the diagram and is not repeated here
(In the configuration below these three VLANs are numbered 10, 20 and 30.)
LSW1 interface and VLAN configuration
vlan batch 10 20 30
#
interface Vlanif1
 ip address 192.168.40.2 255.255.255.0
#
interface Vlanif10
 ip address 192.168.10.254 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.254 255.255.255.0
#
interface Vlanif30
 ip address 192.168.30.254 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 192.168.40.1
AR1 interface configuration (the extracted text gave GigabitEthernet0/0/0 as 92.168.40.1; the address is 192.168.40.1, the next hop of LSW1's default route)
interface GigabitEthernet0/0/0
 ip address 192.168.40.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 10.0.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.40.2
Next, configure the ACL on the Layer 3 switch.
ACL configuration on LSW1:
[LSW1]acl 3000
[LSW1-acl-adv-3000]rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[LSW1-acl-adv-3000]rule 10 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[LSW1-acl-adv-3000]rule 15 permit ip source 192.168.10.0 0.0.0.255
[LSW1-acl-adv-3000]rule 20 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[LSW1-acl-adv-3000]rule 25 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[LSW1-acl-adv-3000]rule 30 deny ip
[LSW1-acl-adv-3000]quit
Apply the configured ACL to the VLANs (inbound on each VLAN, so traffic is filtered as it enters the switch from the hosts):
[LSW1]traffic-filter vlan 10 inbound acl 3000
[LSW1]traffic-filter vlan 20 inbound acl 3000
[LSW1]traffic-filter vlan 30 inbound acl 3000
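As an added check that is not part of the original post, the following Python script models acl 3000 as a first-match rule list with VRP-style wildcard masks and tests it against the stated requirements before the policy is applied. It assumes that traffic matching no rule is permitted by traffic-filter (the reason the author needs rule 30), and uses a constructed address 10.0.0.100 to stand in for an Internet host behind AR1.

```python
import ipaddress

# acl 3000 from LSW1, as (rule id, action, source, source wildcard, destination,
# destination wildcard); "any" is written as 0.0.0.0 with an all-ones wildcard.
ACL_3000 = [
    (5,  "deny",   "192.168.20.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
    (10, "deny",   "192.168.30.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
    (15, "permit", "192.168.10.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    (20, "permit", "192.168.20.0", "0.0.0.255", "192.168.30.0", "0.0.0.255"),
    (25, "permit", "192.168.30.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
    (30, "deny",   "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def _matches(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; all other bits must equal the base.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def evaluate(acl, src, dst):
    """First-match lookup. Traffic matching no rule is permitted, which is
    the traffic-filter default assumed here (hence the author's rule 30)."""
    for rid, action, s, sw, d, dw in acl:
        if _matches(src, s, sw) and _matches(dst, d, dw):
            return rid, action
    return 0, "permit"

INTERNET_HOST = "10.0.0.100"  # constructed sample address on AR1's far side

# The page's requirements as (source host, destination host, expected action).
REQUIREMENTS = [
    ("192.168.10.1", INTERNET_HOST, "permit"),   # VLAN 10 reaches the Internet
    ("192.168.20.1", INTERNET_HOST, "deny"),     # VLAN 20 and 30 do not
    ("192.168.30.1", INTERNET_HOST, "deny"),
    ("192.168.20.1", "192.168.10.1", "deny"),    # VLAN 20 and 30 cannot reach VLAN 10
    ("192.168.30.1", "192.168.10.1", "deny"),
    ("192.168.20.1", "192.168.30.1", "permit"),  # VLAN 20 and 30 reach each other
    ("192.168.30.1", "192.168.20.1", "permit"),
]

def check_requirements(acl=ACL_3000):
    """Return (src, dst, expected, got, rule id) for every requirement the ACL violates."""
    failures = []
    for src, dst, expected in REQUIREMENTS:
        rid, action = evaluate(acl, src, dst)
        if action != expected:
            failures.append((src, dst, expected, action, rid))
    return failures
```

Dropping rule 30 from the list makes the two "VLAN 20/30 to Internet" checks fail, which shows that the final deny is what cuts those VLANs off. The filter is stateless, so a reply from VLAN 20 to VLAN 10 is itself evaluated inbound on VLAN 20 and dropped by rule 5, even though rule 15 lets VLAN 10 send the request.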
The ACL configuration is now complete. Next, test connectivity between PC2 and the Internet.
Connectivity test between PC2 and PC3